Don't link sftp, sftp-server or scp with libcrypto

Darren Tucker dtucker at dtucker.net
Tue Jul 12 23:18:31 AEST 2022 

Hi.

This applies on top of my previous patch cleaning up libcrypt and stops
linking scp, sftp and sftp-server against libcrypto.  Why do this?
Well for one reason these components sometimes get used independently
of ssh/sshd (eg in OpenWRT where they can be used with Dropbear) and
it'd be nice if I could have sftp on space constrained devices without
the currently-required but not strictly necessary additional libraries.

The same thing can be done with zlib but that's the next patch.

diff --git a/Makefile.in b/Makefile.in
index 3c285682..338976c8 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -49,6 +49,7 @@ CFLAGS_NOPIE=@CFLAGS_NOPIE@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 PICFLAG=@PICFLAG@
 LIBS=@LIBS@
+CRYPTOLIBS=@CRYPTOLIBS@
 K5LIBS=@K5LIBS@
 GSSLIBS=@GSSLIBS@
 SSHDLIBS=@SSHDLIBS@
@@ -208,34 +209,34 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
 
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
-	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS)
+	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS) $(GSSLIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CRYPTOLIBS) $(GSSLIBS) $(K5LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
 	$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
-	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
 
 ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
-	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
 
 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
-	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
 
 ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
-	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
 
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
-	$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS)
 
 ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
-	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(CRYPTOLIBS) $(LIBFIDO2)
 
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
-	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CRYPTOLIBS)
 
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
 	$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
diff --git a/configure.ac b/configure.ac
index 7bb1d711..9a18e8dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2696,8 +2696,11 @@ AC_ARG_WITH([ssl-engine],
 	]
 )
 
+CRYPTOLIBS=""
+nocrypto_saved_LIBS="$LIBS"
 if test "x$openssl" = "xyes" ; then
-	LIBS="-lcrypto $LIBS"
+	CRYPTOLIBS="-lcrypto"
+	LIBS="$CRYPTOLIBS $LIBS"
 	AC_TRY_LINK_FUNC([RAND_add], ,
 	    [AC_MSG_ERROR([*** working libcrypto not found, check config.log])])
 	AC_CHECK_HEADER([openssl/opensslv.h], ,
@@ -2860,7 +2863,6 @@ if test "x$openssl" = "xyes" ; then
 		],
 		[
 			AC_MSG_RESULT([no])
-			saved_LIBS="$LIBS"
 			LIBS="$LIBS -ldl"
 			AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
 			AC_LINK_IFELSE(
@@ -2868,10 +2870,10 @@ if test "x$openssl" = "xyes" ; then
 				[[ ERR_load_crypto_strings(); ]])],
 				[
 					AC_MSG_RESULT([yes])
+					CRYPTOLIBS="$CRYPTOLIBS -ldl"
 				],
 				[
 					AC_MSG_RESULT([no])
-					LIBS="$saved_LIBS"
 				]
 			)
 		]
@@ -3263,25 +3265,6 @@ AC_CHECK_FUNCS([ \
 	arc4random_uniform \
 ])
 
-saved_LIBS="$LIBS"
-AC_CHECK_LIB([iaf], [ia_openinfo], [
-	LIBS="$LIBS -liaf"
-	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
-				AC_DEFINE([HAVE_LIBIAF], [1],
-			[Define if system has libiaf that supports set_id])
-				])
-])
-LIBS="$saved_LIBS"
-
-# Check for crypt() in libcrypt.  If we have it, we only need it for sshd.
-saved_LIBS="$LIBS"
-AC_CHECK_LIB([crypt], [crypt], [
-	LIBS="-lcrypt $LIBS"
-	SSHDLIBS="-lcrypt $SSHDLIBS"
-])
-AC_CHECK_FUNCS([crypt])
-LIBS="$saved_LIBS"
-
 ### Configure cryptographic random number support
 
 # Check whether OpenSSL seeds itself
@@ -3310,6 +3293,8 @@ if test "x$openssl" = "xyes" ; then
 		]
 	)
 fi
+LIBS="$nocrypto_saved_LIBS"
+AC_SUBST([CRYPTOLIBS])
 
 # PRNGD TCP socket
 AC_ARG_WITH([prngd-port],
@@ -3399,6 +3384,24 @@ else
 	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
 fi
 
+saved_LIBS="$LIBS"
+AC_CHECK_LIB([iaf], [ia_openinfo], [
+	LIBS="$LIBS -liaf"
+	AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
+				AC_DEFINE([HAVE_LIBIAF], [1],
+			[Define if system has libiaf that supports set_id])
+				])
+])
+
+# Check for crypt() in libcrypt.  If we have it, we only need it for sshd.
+saved_LIBS="$LIBS"
+AC_CHECK_LIB([crypt], [crypt], [
+	LIBS="-lcrypt $LIBS"
+	SSHDLIBS="-lcrypt $SSHDLIBS"
+])
+AC_CHECK_FUNCS([crypt])
+LIBS="$saved_LIBS"
+
 # Check for PAM libs
 PAM_MSG="no"
 AC_ARG_WITH([pam],
@@ -5635,6 +5638,9 @@ echo "    Compiler flags: ${CFLAGS}"
 echo "Preprocessor flags: ${CPPFLAGS}"
 echo "      Linker flags: ${LDFLAGS}"
 echo "         Libraries: ${LIBS}"
+if test ! -z "${CRYPTOLIBS}"; then
+echo "           +crypto: ${CRYPTOLIBS}"
+fi
 if test ! -z "${SSHDLIBS}"; then
 echo "         +for sshd: ${SSHDLIBS}"
 fi
diff --git a/scp.c b/scp.c
index da07e64e..f9ca5d39 100644
--- a/scp.c
+++ b/scp.c
@@ -455,8 +455,6 @@ main(int argc, char **argv)
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
 
-	seed_rng();
-
 	msetlocale();
 
 	/* Copy argv, because we modify it */
diff --git a/sftp-server-main.c b/sftp-server-main.c
index 06566d36..2c70f89b 100644
--- a/sftp-server-main.c
+++ b/sftp-server-main.c
@@ -42,8 +42,6 @@ main(int argc, char **argv)
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
 
-	seed_rng();
-
 	if ((user_pw = getpwuid(getuid())) == NULL) {
 		fprintf(stderr, "No user found for uid %lu\n",
 		    (u_long)getuid());
diff --git a/sftp.c b/sftp.c
index c880f166..939b8dc0 100644
--- a/sftp.c
+++ b/sftp.c
@@ -2406,8 +2406,6 @@ main(int argc, char **argv)
 	sanitise_stdfd();
 	msetlocale();
 
-	seed_rng();
-
 	__progname = ssh_get_progname(argv[0]);
 	memset(&args, '\0', sizeof(args));
 	args.list = NULL;
-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list